Exchange Server 2007: Accessing multiple resource mailboxes in Exchange Web Services

In Exchange 2007 Web Services it is very convenient to access and manage other users' mailbox accounts by using Exchange Impersonation. This feature enables a caller to impersonate a given account so that the caller can perform operations by using all the original user's permissions. Resource mailboxes (room, equipment), however, are created as disabled accounts in Active Directory, and Windows can't resolve the specified identity to a disabled user account. As a result, EWS Impersonation for resource mailboxes always fails with an "Impersonation fails" error.

Well, since enabling a disabled account on a resource mailbox is NOT a supported configuration, we don't have a workaround for Exchange impersonation to work for resource mailboxes. Instead, the only way to access mailboxes with disabled accounts in EWS is to use Delegate Access.

Below are the steps needed, along with a sample to add delegates on a number of existing resource mailboxes.

1. Set up a web service account and grant it permission to access resource mailboxes.

The web service account is the account set in the ExchangeServiceBinding.Credentials property to send requests to the Exchange Server. We need to add mailbox permissions for this account so that it can access resource mailboxes. I wrote a PowerShell script that will do AD searches for all mailboxes associated with disabled accounts, and then automatically add FullAccess permission for the service account to all those mailboxes.

Please note: this script is not officially supported by Microsoft.

To use the script, simply put it somewhere on the Exchange 2007 server and specify the alias of the service account as the only parameter. Here is an example:

>.\Add-Res-Mailbox-Permission.ps1 "ServiceAccount"

You should consider testing the script in your lab before using it in your live environment. You can also uncomment the add-content line in the script to output the list of resource mailboxes to a file, and then use it as input info at the next step to add the delegate account.

2. Use the EWS AddDelegate function to add a delegate account to those resource mailboxes.

The use of AddDelegate and the other Delegate Access methods, along with sample code, can be found in the Exchange Server 2007 SDK, available at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=7A44A56A-1DFD-4C26-B99A-1E680E914444&displaylang=en
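
For step 1, one way to scope and record the grant, as an added example (it is not the author's Add-Res-Mailbox-Permission.ps1, which is not reproduced on this page). It assumes the Exchange Management Shell, limits the FullAccess grant to room and equipment mailboxes rather than every mailbox on a disabled account, and only reports what it would change unless the hypothetical -Apply switch is given.

```powershell
# Added example, not the author's script. Run in the Exchange Management Shell.
# Report-only by default; pass -Apply (hypothetical switch name) to make changes.
param(
    [string]$ServiceAccount = $(throw "Specify the alias of the service account"),
    [switch]$Apply
)

# Scope to resource mailboxes only. Shared and linked mailboxes also sit on
# disabled accounts, so "every disabled account" is a wider grant than needed.
$resources = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -eq "RoomMailbox" -or
                   $_.RecipientTypeDetails -eq "EquipmentMailbox" }

foreach ($mbx in $resources) {
    # Allow ACEs carrying FullAccess that the service account already holds
    $existing = Get-MailboxPermission -Identity $mbx.Identity -User $ServiceAccount |
        Where-Object { -not $_.Deny -and ($_.AccessRights -match "FullAccess") }

    if ($existing) {
        $action = "AlreadyGranted"
    } elseif ($Apply) {
        Add-MailboxPermission -Identity $mbx.Identity -User $ServiceAccount `
            -AccessRights FullAccess | Out-Null
        $action = "Granted"
    } else {
        $action = "WouldGrant"
    }

    # One row per mailbox: a change record, and the mailbox list for step 2
    $row = "" | Select-Object Mailbox, SmtpAddress, Type, Action
    $row.Mailbox     = $mbx.Alias
    $row.SmtpAddress = $mbx.PrimarySmtpAddress
    $row.Type        = $mbx.RecipientTypeDetails
    $row.Action      = $action
    $row
}
```

Piping the output to Export-Csv keeps a record of exactly which mailboxes the service account can open, which is also the list to review when the account is retired or its credentials are rotated.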

Source: Exchange Team Blog